Password reset form should not leak information
Reported by: anonymous
Owned by: Horst Gutmann
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
The provided password reset form leaks information about enrolled users by providing information as to whether an email is enrolled. This is obviously untenable for any site with even moderate confidentiality requirements.
Correct behavior is to display the same result regardless of whether an email is found in the database.
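As an added illustration (not Django's code and not the ticket's patch), here is a reset handler that leaks enrolment next to one that returns the same text for every address; the user table, messages and mailer are constructed stand-ins:

```python
import secrets

# Constructed sample user table (email -> account record); stands in for the real user model.
USERS = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": False},  # disabled account: must look identical to "unknown"
}

SENT_MAIL = []  # stand-in for the outgoing mail queue


def send_reset_mail(email):
    """Queue a reset link; the token here is only a placeholder."""
    SENT_MAIL.append((email, secrets.token_urlsafe(16)))


def reset_leaky(email):
    """Behaviour the ticket objects to: the response text depends on whether the address is enrolled."""
    if email not in USERS:
        return "No account is registered for that e-mail address."  # constructed wording
    send_reset_mail(email)
    return "We have e-mailed you instructions for setting your password."


# One fixed response, chosen so it is true whether or not the address exists.
GENERIC_RESPONSE = ("If an account exists for that address, "
                    "we have e-mailed instructions for setting your password.")


def reset_fixed(email):
    """Same visible result for every input; mail goes out only when it should.

    Note: sending mail synchronously can still reveal the account through response
    time, so in practice the send belongs on a background queue.
    """
    record = USERS.get(email)
    if record is not None and record["active"]:
        send_reset_mail(email)
    return GENERIC_RESPONSE


def responses_identical(handler, emails):
    """True when the handler's visible text is the same for every address given."""
    return len({handler(e) for e in emails}) == 1
```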
Change History (10)
comment:4 Changed 4 years ago by
Owner: changed from nobody to Horst Gutmann
Status: new → assigned